NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

l2tp VPNs Broken #217628

Open Sepero opened 1 year ago

Sepero commented 1 year ago

Describe the bug

Fails to connect to an l2tp + ipsec VPN after putting in all the information. This happens both on the latest Gnome ISO and after a NixOS installation. Message received on the Gnome desktop:

Connection Failed
Activation of network connection failed

Steps To Reproduce

Steps to reproduce the behavior:

  1. Boot Live Gnome ISO.
  2. Enter l2tp + ipsec (strongswan) details in NetworkManager.
  3. Turn on VPN connection.

Additional context

There are several fixes listed in issue #64965.

I was able to fix the problem by creating the file /etc/ipsec.secrets (sudo touch /etc/ipsec.secrets) AFTER creating the connection and failing to connect once. (I also created the file BEFORE creating the connection, but that did not fix the issue.)

After successfully connecting, this was the content of the file /etc/ipsec.secrets:

include ipsec.d/ipsec.nm-l2tp.secrets

The following is the failure output from journalctl:

Feb 22 05:41:12 nixos nm-l2tp-service[1994]: Check port 1701
Feb 22 05:41:13 nixos NetworkManager[2009]: Stopping strongSwan IPsec failed: starter is not running
Feb 22 05:41:15 nixos NetworkManager[2006]: Starting strongSwan 5.9.8 IPsec [starter]...
Feb 22 05:41:15 nixos NetworkManager[2006]: Loading config setup
Feb 22 05:41:15 nixos NetworkManager[2006]: Loading conn 'd95bf431-35d6-4d9c-9a65-d380f85fe43b'
Feb 22 05:41:15 nixos ipsec_starter[2006]: Starting strongSwan 5.9.8 IPsec [starter]...
Feb 22 05:41:15 nixos ipsec_starter[2006]: Loading config setup
Feb 22 05:41:15 nixos ipsec_starter[2006]: Loading conn 'd95bf431-35d6-4d9c-9a65-d380f85fe43b'
Feb 22 05:41:15 nixos ipsec_starter[2015]: Attempting to start charon...
Feb 22 05:41:15 nixos charon[2017]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 5.15.89, x86_64)
Feb 22 05:41:16 nixos charon[2017]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 22 05:41:16 nixos charon[2017]: 00[LIB] providers loaded by OpenSSL: legacy default
Feb 22 05:41:16 nixos kernel: NET: Registered PF_ALG protocol family
Feb 22 05:41:17 nixos kernel: cryptd: max_cpu_qlen set to 1000
Feb 22 05:41:17 nixos kernel: AVX or AES-NI instructions are not detected.
Feb 22 05:41:17 nixos kernel: AVX or AES-NI instructions are not detected.
Feb 22 05:41:18 nixos kernel: CPU feature 'AVX registers' is not supported.
Feb 22 05:41:18 nixos kernel: CPU feature 'AVX registers' is not supported.
Feb 22 05:41:18 nixos kernel: CPU feature 'AVX registers' is not supported.
Feb 22 05:41:18 nixos kernel: CPU feature 'AVX registers' is not supported.
Feb 22 05:41:19 nixos kernel: Initializing XFRM netlink socket
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] dnscert plugin is disabled
Feb 22 05:41:19 nixos charon[2017]: 00[NET] using forecast interface enp1s0
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] loading ca certificates from '/nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.d/cacerts'
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] loading aa certificates from '/nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.d/aacerts'
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] loading ocsp signer certificates from '/nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.d/ocspcerts'
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] loading attribute certificates from '/nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.d/acerts'
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] loading crls from '/nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.d/crls'
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] loading secrets from '/nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.secrets'
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] expanding file expression '/etc/ipsec.secrets' failed
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] opening triplet file /nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.d/triplets.dat failed: No such file or directory
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] loaded 0 RADIUS server configurations
Feb 22 05:41:19 nixos charon[2017]: 00[CFG] no script for ext-auth script defined, disabled
Feb 22 05:41:19 nixos charon[2017]: 00[LIB] loaded plugins: charon unbound pkcs11 aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey dnscert pem openssl pkcs8 af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-eap xauth-pam dhcp counters
Feb 22 05:41:19 nixos charon[2017]: 00[JOB] spawning 16 worker threads
Feb 22 05:41:19 nixos ipsec_starter[2015]: charon (2017) started after 3240 ms
Feb 22 05:41:19 nixos charon[2017]: 05[CFG] received stroke: add connection 'd95bf431-35d6-4d9c-9a65-d380f85fe43b'
Feb 22 05:41:19 nixos charon[2017]: 05[CFG] added configuration 'd95bf431-35d6-4d9c-9a65-d380f85fe43b'
Feb 22 05:41:19 nixos charon[2017]: 08[CFG] rereading secrets
Feb 22 05:41:19 nixos charon[2017]: 08[CFG] loading secrets from '/nix/store/rw2mmv8rn0k90vjrks16l09j8p9r78v9-strongswan-5.9.8/etc/ipsec.secrets'
Feb 22 05:41:19 nixos charon[2017]: 08[CFG] expanding file expression '/etc/ipsec.secrets' failed
Feb 22 05:41:20 nixos charon[2017]: 10[CFG] received stroke: initiate 'd95bf431-35d6-4d9c-9a65-d380f85fe43b'
Feb 22 05:41:20 nixos charon[2017]: 11[IKE] initiating Main Mode IKE_SA d95bf431-35d6-4d9c-9a65-d380f85fe43b[1] to 5.188.0.216
Feb 22 05:41:20 nixos charon[2017]: 11[IKE] initiating Main Mode IKE_SA d95bf431-35d6-4d9c-9a65-d380f85fe43b[1] to 5.188.0.216
Feb 22 05:41:20 nixos charon[2017]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Feb 22 05:41:20 nixos charon[2017]: 11[NET] sending packet: from 10.0.2.15[500] to 5.188.0.216[500] (532 bytes)
Feb 22 05:41:20 nixos charon[2017]: 12[NET] received packet: from 5.188.0.216[500] to 10.0.2.15[500] (136 bytes)
Feb 22 05:41:20 nixos charon[2017]: 12[ENC] parsed ID_PROT response 0 [ SA V V V ]
Feb 22 05:41:20 nixos charon[2017]: 12[IKE] received XAuth vendor ID
Feb 22 05:41:20 nixos charon[2017]: 12[IKE] received DPD vendor ID
Feb 22 05:41:20 nixos charon[2017]: 12[IKE] received NAT-T (RFC 3947) vendor ID
Feb 22 05:41:20 nixos charon[2017]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Feb 22 05:41:20 nixos charon[2017]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 22 05:41:20 nixos charon[2017]: 12[NET] sending packet: from 10.0.2.15[500] to 5.188.0.216[500] (396 bytes)
Feb 22 05:41:20 nixos charon[2017]: 13[NET] received packet: from 5.188.0.216[500] to 10.0.2.15[500] (396 bytes)
Feb 22 05:41:20 nixos charon[2017]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 22 05:41:20 nixos charon[2017]: 13[IKE] no shared key found for '10.0.2.15'[10.0.2.15] - '%any'[5.188.0.216]
Feb 22 05:41:20 nixos charon[2017]: 13[IKE] no shared key found for 10.0.2.15 - 5.188.0.216
Feb 22 05:41:20 nixos charon[2017]: 13[ENC] generating INFORMATIONAL_V1 request 2435400788 [ N(INVAL_KE) ]
Feb 22 05:41:20 nixos charon[2017]: 13[NET] sending packet: from 10.0.2.15[500] to 5.188.0.216[500] (56 bytes)
Feb 22 05:41:20 nixos NetworkManager[2180]: initiating Main Mode IKE_SA d95bf431-35d6-4d9c-9a65-d380f85fe43b[1] to 5.188.0.216
Feb 22 05:41:20 nixos NetworkManager[2180]: generating ID_PROT request 0 [ SA V V V V V ]
Feb 22 05:41:20 nixos NetworkManager[2180]: sending packet: from 10.0.2.15[500] to 5.188.0.216[500] (532 bytes)
Feb 22 05:41:20 nixos NetworkManager[2180]: received packet: from 5.188.0.216[500] to 10.0.2.15[500] (136 bytes)
Feb 22 05:41:20 nixos NetworkManager[2180]: parsed ID_PROT response 0 [ SA V V V ]
Feb 22 05:41:20 nixos NetworkManager[2180]: received XAuth vendor ID
Feb 22 05:41:20 nixos NetworkManager[2180]: received DPD vendor ID
Feb 22 05:41:20 nixos NetworkManager[2180]: received NAT-T (RFC 3947) vendor ID
Feb 22 05:41:20 nixos NetworkManager[2180]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Feb 22 05:41:20 nixos NetworkManager[2180]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 22 05:41:20 nixos NetworkManager[2180]: sending packet: from 10.0.2.15[500] to 5.188.0.216[500] (396 bytes)
Feb 22 05:41:20 nixos NetworkManager[2180]: received packet: from 5.188.0.216[500] to 10.0.2.15[500] (396 bytes)
Feb 22 05:41:20 nixos NetworkManager[2180]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 22 05:41:20 nixos NetworkManager[2180]: no shared key found for '10.0.2.15'[10.0.2.15] - '%any'[5.188.0.216]
Feb 22 05:41:20 nixos NetworkManager[2180]: no shared key found for 10.0.2.15 - 5.188.0.216
Feb 22 05:41:20 nixos NetworkManager[2180]: generating INFORMATIONAL_V1 request 2435400788 [ N(INVAL_KE) ]
Feb 22 05:41:20 nixos NetworkManager[2180]: sending packet: from 10.0.2.15[500] to 5.188.0.216[500] (56 bytes)
Feb 22 05:41:20 nixos NetworkManager[2180]: establishing connection 'd95bf431-35d6-4d9c-9a65-d380f85fe43b' failed
Feb 22 05:41:20 nixos NetworkManager[2186]: Stopping strongSwan IPsec...
Feb 22 05:41:20 nixos charon[2017]: 00[DMN] SIGINT received, shutting down
Feb 22 05:41:20 nixos ipsec_starter[2015]: child 2017 (charon) has quit (exit code 0)
Feb 22 05:41:20 nixos ipsec_starter[2015]: 
Feb 22 05:41:20 nixos ipsec_starter[2015]: charon stopped after 200 ms
Feb 22 05:41:20 nixos ipsec_starter[2015]: ipsec starter stopped
Feb 22 05:41:20 nixos nm-l2tp-service[1994]: Could not establish IPsec connection.
Feb 22 05:41:20 nixos nm-l2tp-service[1994]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

Metadata

From ISO
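The decisive lines in that log are charon failing to expand the include of /etc/ipsec.secrets and then reporting no shared key for the peer, which is exactly what the touch workaround fixes. As an added example (not from the issue or from nixpkgs), a small triage script that pulls that pattern out of a journalctl excerpt and checks whether the secrets file now carries the include line the reporter observed; the sample log text is constructed from the lines above:

```shell
#!/bin/sh
# Added example: triage a journalctl excerpt for the strongSwan failure pattern
# seen in this issue (secrets include not expandable -> no PSK for the peer).

# Constructed sample, shaped like the journalctl output in the issue.
SAMPLE_LOG="Feb 22 05:41:19 nixos charon[2017]: 00[CFG] expanding file expression '/etc/ipsec.secrets' failed
Feb 22 05:41:20 nixos charon[2017]: 13[IKE] no shared key found for 10.0.2.15 - 5.188.0.216
Feb 22 05:41:20 nixos NetworkManager[2180]: establishing connection 'd95bf431-35d6-4d9c-9a65-d380f85fe43b' failed"

# missing_secrets_file LOGTEXT: prints the path charon could not expand (exit 0),
# exit 1 when the pattern is absent.
missing_secrets_file() {
    printf '%s\n' "$1" \
      | sed -n "s/.*expanding file expression '\([^']*\)' failed.*/\1/p" \
      | head -n 1 | grep .
}

# psk_missing LOGTEXT: exit 0 when IKE phase 1 failed for lack of a shared key.
psk_missing() {
    printf '%s\n' "$1" | grep -q 'no shared key found'
}

# secrets_include_ok FILE: exit 0 when FILE exists and includes the nm-l2tp
# secrets file, i.e. the content the reporter saw after a successful connect.
secrets_include_ok() {
    [ -f "$1" ] && grep -q '^include[[:space:]][[:space:]]*ipsec\.d/ipsec\.nm-l2tp\.secrets' "$1"
}

# diagnose LOGTEXT [SECRETS_FILE]: explain the failure and what to check.
diagnose() {
    log="$1"; secrets="${2:-/etc/ipsec.secrets}"
    if path=$(missing_secrets_file "$log") && psk_missing "$log"; then
        echo "charon could not include $path, so no PSK was available for the peer"
        if secrets_include_ok "$secrets"; then
            echo "$secrets exists and includes ipsec.d/ipsec.nm-l2tp.secrets"
        else
            echo "$secrets is missing or lacks: include ipsec.d/ipsec.nm-l2tp.secrets"
        fi
        return 0
    fi
    echo "no missing-secrets-include pattern found in log"
    return 1
}

diagnose "$SAMPLE_LOG"
```

On a live system, feed it `journalctl -u NetworkManager -b` output instead of the sample (a more usable alternative is `journalctl -b | grep -E 'charon|nm-l2tp'`).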

hicksca commented 1 year ago

I was also having issues and tried the above suggested by @Sepero, and was able to connect only after a failed connection.


Sepero commented 11 months ago

This seems to fix the bug: https://github.com/NixOS/nixpkgs/issues/64965#issuecomment-741920446

May we have this added to the default package?

@abbradar @obadz